Patent · US Active

Detection of SYSENTER/SYSCALL hijacking

US7617534B1 · kind B1 · utility

Cited by: 27
References: 10
Claims: 15
Family size: 0

Assignee

Inventors

Key dates

Filing date: Aug 26, 2005
Grant date: Nov 10, 2009
Priority date
Expiry date: Sep 28, 2027

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/575
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

Techniques are disclosed for detecting manipulations of user-kernel transition registers (such as the SYSENTER/SYSCALL critical registers of Intel/AMD processors, respectively), and other such registers. In one embodiment, a register monitor agent is deployed at system boot-up, and continues monitoring target registers for manipulation during system use. If a manipulation is detected, then exclusions are checked to see if that manipulation is legitimate (e.g., caused by a trusted source). If not a legitimate manipulation, then reporting and/or corrective action can be taken. The techniques can be used in real-time and in any number of behavior blocking, antivirus, and/or intrusion prevention applications.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.